We have Fortinet FSSO in place and we have syslogs coming into Splunk. I need a way to report how much time users are spending on the Internet.
The rule below is not providing accurate results for us. I narrowed my search window down to one day and for one user the result was 13:57:59 and for another user 05:27:38. Both users work an 8 hour shift. Also, when I run this against other users, most of them come back with approx. a full 7-8 hours of browsing time, which would be their entire shift. This was tested on users who are not spending nearly that much time actively browsing the Internet.
<usernamehere> | transaction user maxpause=5m | stats sum(duration) as browsing_time by user | sort -browsing_time | head 10 | fieldformat browsing_time = tostring(browsing_time,"duration")
Can someone help me craft the proper rule? I understand it may not be 100% accurate due to Fortinet FSSO agent timeout/idle settings, but I need approximates.
Thank you in advance,
Lee
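Added example (not from the poster or from Splunk): the script below re-implements what `transaction user maxpause=5m | stats sum(duration)` computes, on constructed log lines, to show why the numbers come out as whole shifts. A transaction's duration is the span from its first to its last event, so any traffic that arrives at least every 5 minutes (background polling, keep-alives, FSSO refreshes) keeps one transaction open all day even if the user clicked a link twice. Beside it is an "active minutes" count (distinct 1-minute buckets that contain at least one event per user), which is an assumed alternative measure, not the original rule. The line format, user names and URLs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "date time user=NAME url=..." form
# (not real FortiGate/FSSO syslog). alice generates one event every 4 minutes
# from 08:00 to 16:00, the way background traffic does; bob has two short
# bursts of real browsing separated by hours.
SAMPLE_LINES = (
    [f"2024-03-04 {8 + m // 60:02d}:{m % 60:02d}:00 user=alice url=http://example.com/ping"
     for m in range(0, 8 * 60 + 1, 4)]
    + [
        "2024-03-04 09:00:00 user=bob url=http://example.com/a",
        "2024-03-04 09:02:00 user=bob url=http://example.com/b",
        "2024-03-04 09:03:30 user=bob url=http://example.com/c",
        "2024-03-04 13:00:00 user=bob url=http://example.com/d",
        "2024-03-04 13:01:00 user=bob url=http://example.com/e",
    ]
)


def parse_events(lines):
    """Turn constructed log lines into (timestamp, user) pairs."""
    events = []
    for line in lines:
        date, clock, *fields = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        events.append((ts, kv["user"]))
    return events


def transaction_seconds(events, maxpause=timedelta(minutes=5)):
    """Mimic `transaction user maxpause=5m | stats sum(duration) by user`.

    Events for a user are grouped into a transaction as long as consecutive
    events are no more than `maxpause` apart; the duration of a transaction is
    last timestamp minus first timestamp, so sparse-but-steady traffic yields
    one long transaction.
    """
    per_user = defaultdict(list)
    for ts, user in events:
        per_user[user].append(ts)
    totals = {}
    for user, stamps in per_user.items():
        stamps.sort()
        total = 0.0
        start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > maxpause:          # gap too long: close the transaction
                total += (prev - start).total_seconds()
                start = ts
            prev = ts
        total += (prev - start).total_seconds()
        totals[user] = total
    return totals


def active_minutes(events, bucket=timedelta(minutes=1)):
    """Alternative (assumed) measure: number of distinct 1-minute buckets in which
    the user produced at least one event. Idle gaps contribute nothing."""
    buckets = defaultdict(set)
    for ts, user in events:
        buckets[user].add(int(ts.timestamp() // bucket.total_seconds()))
    return {user: len(b) for user, b in buckets.items()}


def as_hms(seconds):
    """Format seconds like tostring(x, "duration") does: HH:MM:SS."""
    seconds = int(seconds)
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    tx = transaction_seconds(evs)
    am = active_minutes(evs)
    for user in sorted(tx):
        print(f"{user}: transaction duration {as_hms(tx[user])}, "
              f"active minutes {am[user]}")
```

With this data, alice's 121 background pings add up to a transaction duration of 08:00:00 (her whole shift) but only 121 active minutes, while bob's two bursts give 00:04:30 and 5 active minutes. The SPL analogue of the second measure, as a suggestion rather than a tested rule, would be something like `... | bin _time span=1m | stats dc(_time) as active_minutes by user`, which counts minutes containing traffic instead of spanning the gaps between them.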